---
title: Macof
course: intro_pentest
section: Exploitation
layout: lesson
---

It should be pointed out that the discrete routing property of a switch was
originally designed to increase performance, not to increase security. As a
result of this, any increase in security should be viewed as a by-product of the
design rather than its original goal. Keeping this in mind, before you run out
to replace all your hubs with switches, you should be aware that there are tools
available that can be used against a switch to make it act like a hub. In other
words, in some instances, we can cause a switch to broadcast all traffic to all
ports making it behave exactly like a hub.

Most switches have a limited amount of memory that can be used to remember the
table containing MAC address and corresponding port numbers. By exhausting this
memory and flooding the table with bogus MAC addresses, a switch will often
become incapable of reading or accessing valid entries in the MAC to port table.
Because this switch cannot determine the correct port for a given address, the
switch will simply broadcast the traffic to all ports. This model is known as
“fail open”. The concept of fail open simply means that when the switch fails
to properly and discretely route traffic, it falls back to a hub-like state
(open) that sends all traffic to all ports.

You should be aware that some switches are configured to “fail closed”. Switches
that fail closed operate in exactly the opposite manner of a fail open switch.
Rather than broadcasting all traffic to all ports, fail closed switches simply
stop routing traffic altogether. However, as a penetration tester or hacker,
there is an upside to this configuration as well. If you are able to prevent the
switch from routing traffic, you have stopped all traffic on the network and
caused a Denial of Service.

Dsniff is an excellent collection of tools that provide many useful functions
for sniffing network traffic. It’s recommended that you take time to review
each of the tools included with dsniff. One of the dsniff tools written by Dug
Song, called macof, provides us with the ability to flood a switch with
thousands of random MAC addresses. If the switch is configured to fail open,
the switch will begin to act like a hub and broadcast all traffic to all
ports. This will allow you to overcome the selective routing of a switch and
sniff all network traffic passing through the device. Macof is built into
BlackArch and can be run by issuing the following command in a terminal
window:

```
macof -i enp1s0 -s 172.16.45.123 -d 172.16.45.2
```

In the preceding example, “macof” is used to invoke the program. The macof
program will generate and flood the network with thousands of MAC addresses. The
“-i” switch is used to specify your computer’s network card. This is where the
MAC addresses will be sent from. The “-s” is used to specify the source address.
The “-d” is used to specify the destination or target of your attack.

As a final word of caution, using macof will generate tremendous amounts of
network traffic and is therefore easily detectable. You should use this
technique only when stealth ain’t a concern.
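
The flood is easy to detect because it appears as a burst of source MAC addresses that have never been seen before. The following is an added example, not part of the original lesson or of dsniff: a sliding-window detector run over constructed frame records. The function names, the one-second window and the threshold of 100 are illustrative assumptions.

```python
import random
from collections import deque

def detect_mac_flood(frames, window=1.0, threshold=100, max_tracked=100_000):
    """Return [(timestamp, count)] for each burst in which more than
    `threshold` never-before-seen source MACs appear within `window` seconds."""
    seen = set()        # source MACs already known to the detector
    recent = deque()    # first-sighting timestamps still inside the window
    alerts, alerting = [], False
    for ts, mac in frames:
        while recent and ts - recent[0] > window:
            recent.popleft()
        mac = mac.lower()
        if mac not in seen:
            recent.append(ts)
            # Bound the set so a flood cannot exhaust the detector's memory
            # the way it exhausts the switch's table.
            if len(seen) < max_tracked:
                seen.add(mac)
        if len(recent) > threshold:
            if not alerting:            # report each burst once
                alerts.append((ts, len(recent)))
            alerting = True
        else:
            alerting = False
    return alerts

def sample_frames(seed=1):
    """Constructed capture: five hosts talking for 10 s, then 500 random
    source MACs arriving within half a second."""
    rng = random.Random(seed)
    hosts = ["00:11:22:33:44:%02x" % i for i in range(5)]
    frames = [(i * 0.01, hosts[i % 5]) for i in range(1000)]
    for i in range(500):
        mac = ":".join("%02x" % rng.randrange(256) for _ in range(6))
        frames.append((10.0 + i * 0.001, mac))
    return frames

if __name__ == "__main__":
    for ts, count in detect_mac_flood(sample_frames()):
        print("possible MAC flood at t=%.3fs: %d new MACs in 1s" % (ts, count))
```

On a real network the threshold has to sit above the normal rate at which new hosts appear, for example when many clients join at the start of a working day.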

With the concepts of promiscuous mode and the ability to sniff traffic on a
switch in mind, you can examine another popular tool that can be used to view
and capture network traffic. One of the simplest and most powerful tools for
sniffing network traffic is Wireshark. Wireshark was originally written by
Gerald Combs in 1998. This popular tool is a free network protocol analyzer
that allows you to quickly and easily view and capture network traffic. You
can download Wireshark for free from http://wireshark.org. Wireshark is an
extremely flexible and mature tool. It should be noted that prior to 2006
Wireshark was known as Ethereal. Although the program remained the same, the
name changed due to some trademark issues.

Wireshark is built into BlackArch and can be accessed by issuing
"`sudo wireshark`" in a terminal window.

When you first start Wireshark inside BlackArch, you’ll get a message telling
you that “Running Wireshark as user ‘root’ can be dangerous.” You can click
“OK” to acknowledge this warning.

Select your current network interface within Wireshark and the home screen will
be replaced by a view of all the traffic going in and out.

![](/img/courses/intro-pentest/wireshark1.png)
![](/img/courses/intro-pentest/wireshark2.png)
